Web based applications have become predominant in the enterprise data center.
They allow sophisticated applications to run from virtually any PC, netbook,
tablet or smartphone. They are generally easier to use, lower cost and faster
to deploy than traditional client side applications. To allow these web
applications to run, the network ports through which the web application
traffic flows are configured to be open (allowed) on a standard firewall.
Unfortunately, over 70 percent of successful attacks now exploit application
vulnerabilities using these open ports. To mitigate these vulnerabilities, a
Web Application Firewall (WAF) is now a necessity for all enterprise data
centers. WAFs secure the web applications and communications by blocking the
attacks that traditional firewalls are not designed to protect against.


How Applications Are Attacked 


While it is appropriate to allow bona fide users to access web applications, neither 
users nor hackers should be allowed to abuse the access given. Unfortunately there 
are often vulnerabilities in web applications and attackers exploit these vulnerabilities. 
By sending data in a web page URL that causes the backend application to 
malfunction, the attacker can gain control of backend resources such as databases. 
The potential fallout of a data breach in a large enterprise can be devastating. Millions
of dollars are lost, and companies have been forced out of business from such attacks. 


Protecting Applications Against Attack with NetScaler Application Firewall


Citrix® NetScaler Application Firewall is a comprehensive ICSA certified web 
application security solution that blocks known and unknown attacks against web and
web services applications. NetScaler Application Firewall enforces a hybrid security 
model that permits only correct application behavior and efficiently scans and protects 
known application vulnerabilities. It analyzes all bi-directional traffic, including 
SSL-encrypted communication, to protect against a broad range of security threats 
without any modification to applications. 

Below are the key protection tactics employed by NetScaler Application Firewall:

• Cross-Site Scripting
• Cross-Site Request Forgery
• SQL Injection
• XML Security
• Buffer Overflow
• Data Theft


Customization of the WAF rules to match applications allows attacks to be
identified and blocked. However, managing this rule set takes effort and
knowledge and can be time consuming. The rule set needs to be reviewed often,
and always when a back end application system is added or modified.


Keeping the WAF up to date takes two steps. The first is to identify the
vulnerabilities of all applications, both those hosted in the enterprise and
those hosted off site. The second is to update the WAF policies to protect
against any identified vulnerability.


Keeping these two in sync and being sure that the right policies are in place can 
be a challenge. 


Understanding Application Vulnerabilities with Qualys 


QualysGuard Web Application Scanning (WAS) identifies web application 
vulnerabilities that can then be used to automatically create rules for the NetScaler 
Application Firewall to prevent malicious users from exploiting the vulnerabilities. 
Thanks to this integration, customers can quickly mitigate the vulnerabilities 
discovered by QualysGuard WAS with NetScaler Application Firewall and reduce 
the risk exposure of the business supported by the vulnerable web applications. 


Web application scanning helps to identify vulnerabilities that are traditionally fixed 
by developers with patches. The problem is that it can take days or weeks to 
deploy the patches in production and that leaves the web applications vulnerable 
to attacks if no other countermeasures are taken.


The integration of QualysGuard web application vulnerability scanner with Citrix 
NetScaler can be used to quickly protect the web applications while application 
developers take time to assess the risk and implement the best application level
controls or patch to remediate the application. 


By using the QualysGuard WAS scan results to create virtual patches in Citrix
NetScaler WAF for the application, the window of risk due to the vulnerability is 
closed in a much shorter period of time than with the traditional approach. 


Citrix NetScaler Application Firewall combined with Qualys WAS simplifies the 
complexity and reduces the risk of error while delivering cost reductions. This is 
achieved by: 


• Reducing the resources required to perform web application security tasks by
  automating the vulnerability assessment of all web applications.

• Leveraging the Qualys elastic cloud platform that removes the burden of
  installing and maintaining software.

• Enabling collaboration between an organization’s application security
  stakeholders.

• Performing WebApp scans hosted inside the network or outside of the
  organization without deploying additional physical or virtual scanners.


Summary of the Benefits from Qualys and Citrix NetScaler Integration


The Citrix NetScaler Application Firewall integration with QualysGuard provides 
the following benefits: 


• A scalable and highly automated web application scanning with
  QualysGuard that provides insight to increase the Citrix NetScaler
  Application Firewall level of detection based on the actual vulnerabilities
  detected.

• Eliminates the need to have access to the web application development
  team in order to create a “virtual patch” on the application itself or any
  underlying system.

• Quickly protects against identified web application vulnerabilities without
  involving or impacting application development timelines.

• Reduces the exploitation time window by ensuring organizations take the
  time to create the best application level controls instead of rushing out an
  untested patch that may cause other problems to the web application.

• NetScaler Application Firewall protects web servers without degrading
  throughput or application response times. It blocks application-level and
  other attacks, at over a gigabit per second throughput.

• NetScaler Application Firewall hybrid security model blocks all known and
  day-zero application-layer attacks. Web application behavior deviating from
  normal application use is treated as potentially malicious and blocked. A
  second level of protection is provided through the efficient scanning of
  thousands of automatically updated signatures.

• NetScaler has many other security features providing a multi-layer security


About Citrix Ready


Citrix Ready identifies recommended solutions that are trusted to enhance the Citrix Delivery Center infrastructure. All products featured 
in Citrix Ready have completed verification testing, thereby providing confidence in joint solution compatibility. Leveraging its industry 
leading alliances and partner eco-system, Citrix Ready showcases select trusted solutions designed to meet a variety of business needs. 
Through the online catalog and Citrix Ready branding program, you can easily find and build a trusted infrastructure. Citrix Ready not only 
demonstrates current mutual product compatibility, but through continued industry relationships also ensures future interoperability. 

Learn more at www.citrix.com/ready. 